Share

What’s the Difference Between Malware, Trojan, Virus, and Worm?

There are a lot of heavily technical terms that get used around computer security. Many of them can be a bit hard to explain in a simple manner, so they often get used incorrectly. One of the most frequently (and painfully) misused groups is the terms that differentiate malware from other types of vulnerabilities and threats. I thought I'd clear up the confusion by explaining what malware, trojans, viruses, and worms are and how they're different from one another.

Here’s the basic definition for all the terms we’ll discuss here:

Malware:
This is a big catchall phrase that covers all sorts of software with nasty intent. Not buggy software, not programs you don’t like, but software which is specifically written with the intent to harm.

Virus:
This is a specific type of malware that spreads itself once it’s initially run. It's different from other types of malware because it can either be like a parasite that attaches to good files on your machine, or it can be self-contained and search out other machines to infect.

Worm:
Think of inchworms rather than tapeworms. These are not parasitic worms, but the kind that move around on their own. In the malware sense, they're viruses that are self-contained (they don’t attach themselves like a parasite) and go around searching out other machines to infect.

Trojan:
Do you remember that story you had to read in high school about the big wooden horse that turned out to be full of guys with spears? This is the computer equivalent. You run a file that is supposed to be something fun or important, but it turns out that it’s neither fun nor important, and it’s now doing nasty things to your machine.

VulnerabilityFunny thing about software: it’s written by humans. Humans are fallible and sometimes forget to cross t's and dot i's. Sometimes those mistakes create strange behavior in programs. And sometimes that strange behavior can be used to create a hole that malware or hackers could use to get into your machine more easily. That hole is otherwise known as a vulnerability.

Exploit
The strange behavior that can be used to create a hole for hackers or malware to get through generally requires someone to use a particular sequence of actions or text to cause the right (or is that wrong?) conditions. To be usable by malware (or on a larger scale by hackers), it needs to be put into code form, which is also called exploit code.

So, how do these definitions play out in real life?

Malware is the big umbrella term. It covers viruses, worms and Trojans, and even exploit code. But not vulnerabilities or buggy code, or products whose business practices you don’t necessarily agree with.

Malware = umbrella term.

The difference between malware and vulnerabilities is like the difference between something and the absence of something. Yeah, okay, that’s a bit esoteric. What I mean is malware is a something. You can see it, interact with it, and analyze it. A vulnerability is a weakness in innocent software that a something (like malware or a hacker) can go through.

Flashback is an example of malware that exploited a vulnerability to take over people’s machines. The authors slipped malicious exploit code into otherwise-innocent websites, and this code utilized a vulnerability within Java in order to silently install itself.

Virus is a slightly smaller sort of umbrella term that covers anything that spreads itself without additional human intervention beyond that first double-click.

Virus = smaller umbrella.

It could spread parasitically, meaning the virus code attaches itself to otherwise-innocent files, and keeps infecting more and more files whenever that infected file is run. Viruses can either be destructive (including spying behavior) or they could just be intended to do nothing other than to spread. Non-destructive viruses are pretty rare these days, as everything has become financially motivated.

A virus requires the presence of those innocent files in order to spread. The other scenario is that it could spread as a static, self-contained file. The self-contained file sends itself through shared network connections, by attaching itself to emails or IMs, or even just by sending a link in email or IM to download the file. In this latter, static case, the specific type of virus is called a worm.

Worms are no fun.

The difference between a worm and a Trojan is a tricky one that may not seem to matter much if you’re the one being affected. If you got infected with the Melissa email worm way back when, you may remember the difference: you don’t have to worry about just your own machine getting messed up, now you have to worry about those first 50 people in your email address book who’ve now just been sent a copy. (Those people are probably gonna be pretty righteously peeved at you.)

Trojans really have only one purpose, and that is to cause damage.

Don't be fooled!

They often have identical destructive functionality to some viruses; they just lack the ability to spread on their own. Trojans must be planted somewhere people are likely to run across them (like Flashback), or they must be sent directly (like in a targeted attack such as Imuler). This confusion is what leads some people to refer to things as “Trojan viruses,” even though those two terms are mutually exclusive.

Hopefully that clears things up a bit! If you have any questions about malware, trojans, viruses, and worms, drop them in the comments.